Browser Password Managers Being Exploited to Track Users

Third party scripts have been caught exploiting browser login managers to extract user information from websites for the purpose of tracking Web activity, a study claims. Scripts including Adthink and OnAudience have apparently been involved in abusing browser password managers to extract login information from websites.

As we mentioned, a report by Princeton’s Center for Information Technology Policy claims that certain scripts are using browser-based password managers to extract information like email addresses that can later be used as part of website traffic identifier tools. The user fills up login credentials on a certain website and asks the browser to save the information in its login managers. Once the user shifts to another page on the website, these scripts insert an invisible form, which then automatically gets filled by the embedded password manager.

Most major Web browsers have a saved logins feature that auto-fills information like usernames, passwords, and addresses. This feature doesn’t require user interaction, although some browsers like Chrome do not auto-fill the password until the user clicks/ touches somewhere on the webpage, the study says.

The Princeton report has identified two third-party scripts, Adthink and OnAudience, that are abusing these inbuilt login managers to extract user information. Adthink is alleged to send several hashes to the server of its parent company, AudienceInsights. Adthink also shares the information with data broker Acxiom.

OnAudience, on the other hand, is available mostly on Polish websites with ‘.pl’ extension. This script collects browser features including plugins, MIME types, screen dimensions, language, timezone information, user agent string, OS, and CPU information. Princeton’s report contradicts OnAudience’s claim that it uses only anonymous data.A user’s email address will almost never change — clearing cookies, using private browsing mode, or switching devices won’t prevent tracking. The hash of an email address can be used to connect the pieces of an online profile scattered across different browsers, devices, and mobile apps. It can also serve as a link between browsing history profiles before and after cookie clears.

“If a publisher directly embeds a third-party script, rather than isolating it in an iframe, the script is treated as coming from the publisher’s origin. Thus, the publisher (and its users) entirely lose the protections of the same origin policy, and there is nothing preventing the script from exfiltrating sensitive information,” is the reason behind the vulnerability, according to the report.

The report suggests certain countermeasures to decrease the chances of Web tracking. It recommends that publishers should shift login forms to subdomains, which is an engineering complexity. It also proposes for users to install ad blockers and tracking protection software to prevent against any such third party tracking. As for browsers, the simple solution is to disable login auto-fill.